WordPress Plugin Vulnerabilities

World Travel Information <= 1.0.0 - Reflected Cross-Site Scripting

Description

The plugin does not escape the $_SERVER['PHP_SELF'] parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue

Proof of Concept

Affects Plugins

Plugin icon
world-travel-information
No known fix

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.8 (high)

Miscellaneous

Original Researcher
WPScanTeam
Verified
Yes
WPVDB ID
d465ec13-0954-4e3a-898a-91ac87c6d623

Timeline

Publicly Published
2021-10-05 (about 4 years ago)
Added
2021-10-05 (about 4 years ago)
Last Updated
2021-10-05 (about 4 years ago)

Other

Published
Title
Published
2023-09-27
Title
Font Awesome More Icons <= 3.5 - Contributor+ Stored Cross-Site Scripting
Published
2024-07-08
Title
Ultimate Blocks < 3.2.0 - Contributor+ Stored XSS
Published
2024-04-15
Title
Shortcodes and extra features for Phlox theme < 2.15.8 - Contributor+ Stored XSS via aux_gmaps Shortcode
Published
2022-01-31
Title
Fotobook <= 3.2.3 - Reflected Cross-Site Scripting
Published
2014-08-01
Title
GroupDocs Signature 1.2.0 - grpdocs-dialog.php Multiple Parameter XSS